TLDR:
- CMMC Level 3 certification is becoming a requirement for DoD work
- A hybrid approach blending FedRAMP High and commercial cloud can help organizations meet requirements efficiently
Blending FedRAMP High and a commercial cloud environment can be an efficient way to reach CMMC Level 3 while optimizing security and costs. This article by Andrew Bream, VP of enterprise IT at SOSi, highlights the importance of CMMC Level 3 certification for organizations handling sensitive government information, especially for those pursuing Department of Defense work. CMMC Level 3 introduces 24 additional advanced requirements beyond the current NIST SP 800-171 standard, and it makes the certification process more rigorous through mandatory third-party assessments and limited use of Plan of Action and Milestones (POA&M).
Implementing a hybrid approach that combines a FedRAMP cloud for classified information and a commercial cloud for unclassified information can result in cost savings and operational efficiencies. This approach requires meticulous planning to meet CMMC standards, establish governance policies, and ensure robust data management and access controls across environments. By leveraging integrated tools like identity and access management, security information and event management, and data loss prevention systems, organizations can achieve secure and interoperable multi-tenant environments.
Ultimately, a hybrid cloud approach offers a tangible pathway to CMMC Level 3 compliance, balancing financial and operational burdens for smaller defense industrial base organizations. Andrew Bream emphasizes the importance of scoping the CMMC Level 3 environment properly, identifying critical data flows, and preparing for third-party audits to maximize benefits and minimize costs while meeting stringent cybersecurity standards.